Comments on Truth in SOA: Really Understanding the SSL/TLS Vulnerability (Part 1)
Feed author: Blake Dournaee (http://www.blogger.com/profile/11796210780072721843)
Feed last updated: 2017-04-01 00:21 -07:00
8 comments, newest first.

----------------------------------------------------------------------

Comment by "transgender dating site" (http://www.dateats.com/), 2012-04-13 09:45 -07:00:

I discovered your web site via Google while looking for a related subject; lucky for me your web site came up. It's a great website. I have bookmarked it in my Google bookmarks. You really are a phenomenal person with a brilliant mind!

----------------------------------------------------------------------

Comment by "buy viagra cheap" (http://buyviagragenericonlineuk7x24.com), 2011-10-20 16:02 -07:00:

I am thoroughly convinced by this said post. I am currently searching for ways in which I could enhance my knowledge of this said topic you have posted here. It does help me a lot knowing that you have shared this information here freely. I love the way the people here interact and share their opinions too. I would love to track your future posts pertaining to the said topic we are able to read.

----------------------------------------------------------------------

Comment by niz (https://www.blogger.com/profile/04528276377971658871), 2010-08-28 13:07 -07:00:

Hello. Firstly I would like to send greetings to all readers. After this, I recognize the content is so interesting about this article. For me personally I liked all the information. I would like to know of cases like this more often.
In my personal experience I might mention a book called Generic Viagra (http://www.buyonline-rx.com/); this book that I mentioned has very interesting topics, and also has much to do with the main theme of this article.

----------------------------------------------------------------------

Comment by オテモヤン (http://e-nixi.com/blog/), 2010-02-25 09:32 -08:00:

This comment has been removed by a blog administrator.

----------------------------------------------------------------------

Comment by Blake Dournaee (https://www.blogger.com/profile/06289232651373567239), 2010-01-12 17:14 -08:00:

Thanks anonymous - I fixed the typo :)

----------------------------------------------------------------------

Comment by Anonymous, 2010-01-12 15:23 -08:00:

I think it is unlikely that this vulnerability was announced on November 4, 2010 unless you have some kind of time machine. :-)

----------------------------------------------------------------------

Comment by Blake Dournaee (https://www.blogger.com/profile/06289232651373567239), 2009-12-10 12:24 -08:00:

Thank you very much for taking the time to read through the write-up. I was stunned when I read about the vulnerability and felt I needed to describe it more fully.

I changed my original blog post to reflect 2 of your 3 comments. I checked the SSL specification and you are indeed correct - renegotiation can happen for no good reason - e.g. simply by resending the client hello. This makes the problem just a little worse in my view (Section 7.4.1.2, Client hello, from RFC 2246).

On your second point, I corrected the description of the behavior of the MITM with respect to its client hello, which would be a new client hello rather than forwarding the original client hello.

Finally, for the last point, let me see if I can explain my rationale on the chosen plain-text attack.

Let's agree on the following:

1. The MITM does NOT have access to the symmetric key used to encrypt a corresponding response to his injected plain-text in step 14.

2. The MITM has some corresponding cipher-text to some easily guessable plain-text, triggered by the message sent in step 14. That is, he doesn't have the directly corresponding plain-text in step 14, but has access to the response triggered by this chosen plain-text. In this sense, it is a once-removed chosen-plain-text attack.

In the best case the attacker could have chosen an HTTP request that generates a known response. Here, something like an "echo" service comes to mind. The attacker will be able to generate a plain-text/cipher-text pair.
In the worst case, he or she would know part of the plain-text, as the response would likely be HTTP 200 OK, for instance. The MITM receives this cipher-text in step 30.

3. The cipher-text in step 30 is the cipher-text encrypted with the just negotiated key. So, in theory (until the next renegotiation), the MITM has a greater chance (but certainly not a perfect chance) of gaining some key information. This information may be increased if the attacker knows any information about the response encrypted in step 30. In other words, a sophisticated attacker could use this vulnerability not to inject code to cause havoc, but to aid in breaking the key used in a renegotiated session. I think this is a low-risk vulnerability compared to the renegotiation gap, but I still think it needs to be highlighted.

I am basing this reasoning on the "paranoia" model for protocol security - if there is a weak link we can assume the attacker will find it.

Any further comments are welcome!

----------------------------------------------------------------------

Comment by Steve (https://www.blogger.com/profile/15775494312273647288), 2009-12-04 21:33 -08:00:

Nice write-up. A couple of points of clarification, though.

First off, there is no need to use client certificates, or even to "trigger" the server into renegotiating. The MITM can simply forward on the original client hello, and any vulnerable server will start renegotiating. The stuff about needing an upgrade in cipher suite or a client cert is true, as far as it goes, but client-initiated renegotiation is possible without any of that. I think you basically said this in the middle, but I wanted to punch it up for clarity, since it greatly influences the severity of the flaw.

Secondly, the description is slightly off on one point. The MITM caches the client's original Client Hello packet and initiates his own SSL session with the server using a brand new CH packet. Only once he's ready to hook the original client up to the connection (after having injected his plaintext) does he then forward on the cached CH packet.

One other very minor point - don't forget that a new symmetric key is negotiated once renegotiation is triggered, so the chosen plaintext attack trying to derive the symmetric key won't do you any good (or perhaps I misunderstood what you wrote).

Looking forward to part 2!

 -Steve